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Abstract. We present a new, high-level approach for the specification of 
model-to-model transformations based on declarative patterns. These are 
(atomic or composite) constraints on triple graphs declaring the allowed 
or forbidden relationships between source and target models. In this way, 
a transformation is defined by specifying a set of triple graph constraints 
that should be satisfied by the result of the transformation. 
The description of the transformation is then compiled into lower-level 
operational mechanisms to perform forward or backward transforma- 
tions, as well as to establish mappings between two existent models. In 
this paper we study one of such mechanisms based on the generation 
of operational triple graph grammar rules. Moreover, we exploit deduc- 
tion techniques at the specification level to generate more specialized 
constraints (preserving the specification semantics) reflecting pattern de- 
pendencies, from which additional rules can be derived. 
This is an extended version of the paper submitted to ICGT'08, with 
additional definitions and proofs. 

1 Introduction 

Model-Driven Development (MDD) [1] is a software engineering paradigm where 
models are the core asset. They are used to specify, simulate, test, verify and 
generate code for the application to be built. Most of these activities include 
the specification and execution of model transformations, some of them between 
different languages. The transformation of a model conformant to a meta-model 
into another one conformant to a different meta-model is called model-to-model 
(M2M) transformation, and is the topic of this paper. 

There are two main approaches to M2M transformation: operational and 
declarative. The first one is based on rules or instructions that explicitly state 
how and when the elements of the target model should be created starting from 
the elements of the source one. In declarative approaches, a description of the 
mappings between the source and target models is provided. This description 
states the relation that should hold between two models rather than how to 
create and link their elements. Declarative approaches are higher- level than op- 
erational ones since they form a compact description of a set of (operational) 
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rules. In addition, they are inherently bidirectional because they do not specify 
any causality. Thus, they bring together in a single specification forward (i.e. 
source-to-target) and backward (i.e. target-to-source) transformations. 

The state-of-the-art on declarative M2M transformation notations includes 
a handful of languages (see Section [S]). However, sometimes they lack a formal 
foundation and analysis techniques able to prove properties of the transforma- 
tion [2]. In other cases, specifications are not fully declarative and may require a 
control mechanism or defining a causality between existing elements and those 
to be created in a given relation |3l4j , introducing some degree of operationality. 

The state-of-the-art on declarative M2M transformation notations includes 
a handful of languages (see Section [SI). However, sometimes they lack a formal 
foundation and analysis techniques able to prove properties of the transforma- 
tion [2]. In other cases, specifications are not fully declarative and may require a 
control mechanism or defining a causality between existing elements and those 
to be created in a given relation |3|4j , introducing some degree of operationality. 

In this paper, we propose a purely declarative, formal approach to M2M 
transformation based on triple patterns to express the relations between source 
and target models. These are similar to graph constraints [5] but for triple graphs, 
made of two graphs related through an intermediate one. Patterns can specify 
positive (the relation they declare must hold) or negative information (the rela- 
tion must not hold) and can be constrained by positive and negative restrictions. 
This high-level specification is compiled into lower-level mechanisms based on 
triple graph grammar operational rules [4] to achieve forward and backward 
transformations, as well as to relate two existing models. The compilation is 
performed in two steps. First, we employ deduction rules to derive additional 
patterns that refiect pattern dependencies and refine existing patterns with neg- 
ative restrictions. Then, a rule for the chosen transformation direction is derived 
from each pattern. 

The advantages of our technique are the following. First, it is purely declar- 
ative, based on patterns and constraints. This contrasts with other declarative 
approaches (such as Triple Graph Grammars (TGGs) [31416] ) where a causality 
has to be given between the existing elements and the ones that have to be 
created. As we consider and exploit interactions between patterns, these depen- 
dencies are automatically derived. Second, it has a formal foundation that allows 
the study of the M2M specification, in both declarative (i.e. patterns) and opera- 
tional (i.e. derived rules) formats. Finally, we have devised deduction techniques, 
able to derive semantic information from the very patterns. For example, having 
a positive pattern demanding a certain structure and a negative one forbidding 
its duplication allows generating two rules: one creating the structure if it is not 
present, and another one reusing it if it already exists. 

Paper Organization. Section[2|introduces triple graphs and patterns. Section[3| 
presents the deduction rules. Section[3|shows how to derive operational rules from 
a pattern specification. Section [5| proposes some analysis techniques for M2M 
specifications. Section [6| relates the most prominent declarative approaches to 
M2M transformation with our proposal and Section [7| ends with the conclusions. 



2 Specifying Transformations: Triple Patterns 



This section introduces the different kinds of triple patterns, their satisfiabihty 
and the characteristics of the underlying operational mechanisms. These con- 
cepts rely on the notion of triple graph, which we introduce first. 

Triple graphs are made of two graphs related through an intermediate one. 
We can use any graph model for these three graphs, from standard unattributed 
graphs {V; E]s,t: E V) to more complex attributed graphs (e.g. E-graphs 0). 

Def. 1 (Triple Graph) A triple graph TrG = [Gs^Gc^Gt.cs: Vg, Vb,, 
ct: Vg^ — > VgJ is made of two graphs Gs and Gt called source and target, 
related through the nodes of the correspondence graph Gc- 

Nodes in the correspondence graph Gc have morphisms to nodes of the source 
and target graphs. If 3m G Vg^ s.t. x m y we write x rel y. Other kinds 
of mappings could be used as well, for example the simpler one in , where the 
correspondence functions are graph morphisms or the more complex one in [7] 
where the correspondence functions can relate edges or be undefined. We use 
the notation TrG\x (for x S {s, t, c}) to refer to the Gx component of TrG, and 
write {Gs, Gt) for a triple graph with source and target graphs Gs and Gt, and 
(Gs, 0, Gt) for a triple graph with empty correspondence. 

Next, we define triple graph morphisms as a triple of graph morphisms that 
preserve the correspondence functions. 

Def. 2 (Triple Graph Morphism) A triple graph morphism f = (fg, f^, ft) '■ 
TrG^ TrG^ is made of three graph morphisms fx'. TrG^\x ^ TrG^\x (with 
X — {s, c, t} ), where fs\v° (^s^ ~ c-s"^ ° fc\v o.'^d ft\v° ct^ = ct^ ° fc\v- 

Source and target graphs can be typed by a type graph, or more in general 
by a meta-model, which includes inheritance [8]. In the latter case, we use the 
term model instead of graph. Given meta-model MM, L{MM) refers to the set 
of all valid models conformant to (typed by) it. Similarly, we use the notion of 
meta-model triple [7] for the typing of triple graphs. 

Triple patterns are similar to graph constraints |5I9| . but defined on triple 
graphs. We use them to describe the allowed and forbidden relationships between 
source and target models. We consider both simple and composite patterns. 

Def. 3 (Pattern) Given triple injective morphism q: G ^ Q and sets Npre = 
{ci-. Q ^ GtjiePre, Npost = {cj-. Q ^ Gj}jf=Post of negative pre- and post- 
conditions: 

- A ^(Cj) P{Q) A ^(Cj) is a simple pattern (S-Pattern). 

i^Pre j^Post 

- A ^V(Gj)AP(G) ^ P(g) A N{Cj) is a composite pattern (C-Pattern). 

i^Pre j^Post 

- N{Cj) is a negative pattern (N- Pattern). 



Remark. The notation P(-), N{-) and N{-) is just syntactic sugar to indicate 
a positive pre-condition, a negative pre-condition or a negative post-condition. 

Thus, an S-Pattern is made of a positive graph Q restricted by negative 
pre- and post-conditions (Pre and Post sets). The intuition is that Q should 
be present in triple graph TrG whenever no negative pre-condition d is found; 
and if Q is found, then no occurrence of the negative post-conditions should be 
found. That is, while pre-conditions express restrictions for the pattern Q to 
occur, post-conditions describe forbidden graphs. A C-Pattern is an S-Pattern 
with an additional positive pre-condition graph C. Thus an S-Pattern is a C- 
Pattern with C and q empty. Finally, an N-Pattern is a C-Pattcrn where C and 
Q are empty and there is only one negative post-condition, forbidden to occur. 

A M2M specification is a conjunction of simple and composite patterns. 

Def. 4 (M2M Specification) A M2M specification S ~ Aig/ Pi conjunc- 
tion of patterns, where each Pi can he simple, composite or negative. 
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Remark. For technical reasons, we assume that initially in a specification only 
N-patterns have negative post-conditions. This is not a restriction, as any post- 
condition can be expressed as an N-pattern. In fact, a M2M specification is 
usually made of just N- and S-patterns, from which we automatically derive C- 
patterns with positive pre-conditions encoding pattern dependencies, and trans- 
form N-patterns into post-conditions for the other patterns (see Section [3]) . 
Example. Fig. [T] shows some patterns in an ex- 
ample M2M specification, inspired by the class to 
relational database transformation [2]. S-Pattern 
C-T states that a C node (a class) that is not con- 
nected to another one (i.e. it does not have a par- 
ent) should be related to a T (table). S-Pattern 
A-Co states that a C node connected to an A (an 
attribute) , should be related to a T with a Co (col- 
umn). Differently from TGGs, wc don't need to 
specify here a positive pre-condition stating that 
a relation between a C and a T should already 
exist. This dependency is detected by the deduc- 
tion rules wc present in Scction[3l S-Pattern A-Co2 
specifies that in the case of two C nodes connected 
through an R (a directed relation), the associated 

T node of the source C should have as foreign key {F node) an attribute of the 
target class. Finally, N-Pattern notDupF forbids two Fs between two Ts. 

Next we define the satisfaction of a pattern. As S- and N-Patterns are special 
cases of C-Pattcrns, it is enough to formulate C-Pattcrn satisfaction. 
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Fig. 1. M2M Specification. 



Def. 5 (Pattern Satisfaction) Triple graphTrG satisfies CP = [f\iePre N{Ci)h 
P{C) ^ P{Q) A.ePo.t N{C,)], written TrG ^ CP, iff: 



- CP IS forward satisfiable, TrG Hf CP: [Vjti" : P, TrG s.t. (Vi £ Pre 
s.t. ^ Ps, ^nf : TrG with = nf o af), 3m: Q ^ TrG with 
mo = m*, s.t. Mj G Post ^rij : Cj — > TrG wit/i m = nj o Cj], 

- and CP is backwards satisfiable, TrG \=b CP: [Vm* : Pf TrG s.t. {\/i G 
Pre s.t. Nl^Pt, $nl : N* -> TrG with m* = n* o a*), 3m: Q ^ TrG with 
TO o g* = m*, s.t \/j G Post ^rij : Cj — > TrG wit/i m ^ rij o cj], 

with P, = C +c%^., ^C G,U and TVf ^ ^ Q (x G {s,t}), 
see i/ie /e/t o/ Pi;?. [IPI . 
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Fig. 2. Forward Satisfaction of Pattern (left). Forward Satisfaction Example 
(right). 



Remark. Morphisms : Px Q {x = {s,t}) uniquely exist due to the uni- 
versal pushout property (as C\x C Q = C\x Q\x ^ Q)- For the same 
reason, af : Px Nf uniquely exist (as C\x ^ C Nf = C\x ^ Q\x '^-^ 
Ci\x ^ N^). Moreover, b]. = Ci o g^.B 

C-Patterns have a universal quantification, therefore we split them into two 
directed constraints. For this purpose we demand that, in forward satisfaction, 
for each occurrence of Pg = Q\s +c\s ^ = {Q\s,C\c,C\t) satisfying the negative 
pre-conditions, an occurrence of Q must be found satisfying the negative post- 
conditions, see the left of Fig. [2l A positive pattern graph Q is satisfied either 
because no is found {vacuous satisfaction), because m'' and some negative 
pre-conditions are found {negative satisfaction) , or because m" and m are found 
and the negative pre- and post-conditions are not found {positive satisfaction). 
Note that if the resulting directed negative pre-condition iVf is isomorphic to Px, 
then it is not taken into account. This is needed as many pre-conditions express 
a restriction in either source or target but not on both. In addition to forward 
satisfaction, similar conditions are demanded for the target graph (backwards 
satisfiability). A graph satisfies specification 5 if it satisfies all its patterns. 
Example. The right of Fig.[2]shows the forward satisfaction of S-Pattern C-T by 
a triple graph. TrG \=p C ~T as there are two occurrences of to*, the first one 



^ A +B C is the pushout object of A and C through B. Similarly, A Xb C is the 
pullback object of A and C through C. 



is shown in the figure (upper node C in TrG) and is positively satisfied, while 
the second (lower C) is negatively satisfied. We also have TrG \=^b C — T, as 
there is just one m*, positively satisfied. This is because Nf = Pt, as we obtain 
a backward negative pre-condition with one T, which is isomorphic to Pt and 
thus the negative condition is not evaluated. Thus, TrG \= C — T. 

Please note that the specification does not explicitly state if a class with a 
parent should be connected with a table or not. An additional pattern could de- 
scribe such situation. The forward operational mechanism, presented in Section[4] 
does not add such table, as it minimally enforces the specification. 

Starting from a specification S, lower level operational mechanisms are de- 
rived to perform forward ( S) and backward transformations (S), as well as to 
relate two existing models { S ). These mechanisms are described next. 

Def. 6 (Operational Mechanisms) Specification S has the following associ- 
ated operational transformations: 

- Forward: A function 'S : Vs{MMs) ^ TrG with domain VsiMMs) = 
{Ms e L{MMs)\3{AIs,X) h S} s.t. VTl/, e Vs{MMs) [S{M,) ^ S] h 
[S{K'h)\s^Ms\. ^ 

- Backvkfards: A function ^ : Vt{MMt) TrG with domain Vt{MMt) = 
{Mt e L{MMt)\3{X,Mt) h S} s.t. 'iMt £ Vt{MMt) [S{Mt) ^ S] A 
[S{Mt)\t = Mt]. ^ 

- Relating: A function : Vst {M Mg x M Mt) TrG with domain Vst (MMsX 
MMt) = {{M,,Mt)\M, e L{MM,) A 3{M,,Mt) h S} s.t. WiMs,MT) G 
Vst{MMs,MMt) (s{Ms,Mt) h= S]h(s {Ms,Mt)\^ ^ MJ (x = {s,t}). 

The previous definitions arc similar to the concept of correct transformation 
given in [lOj . but in addition we forbid modifying the source (resp. target) model 
in forward (resp. backwards) transformations. 

Next section presents some deduction rules, able to annotate patterns with 
dependencies, and also generate new ones. 

3 Deduction and Annotation Mechanisms for Patterns 

Next we present the deduction rules that we use to: (i) generate new patterns that 
take dependencies into account, which guide the order of pattern enforcement 
by the operational mechanism; (ii) enrich S- and C-Patterns with pre- and post- 
conditions derived from other patterns; and (iii) deduce positive information 
from N-Patterns. For this purpose, we use two main operations: deduction, which 
infers new patterns, and annotation, which makes dependencies among patterns 
explicit. 

For example, from the specification in Fig. [1] the deduction rules generate 
a new pattern to refiect the dependency between C-T and A-Co (to take into 
account whether a pair (C, T) is already related, before relating a pair (A, Co)). 



The deduction rules also add negative post-conditions derived from the notDupF 
N-pattern to the rest of patterns, and produce new patterns that reuse part of 
notDupF so that duplication of F objects is not possible. 

Most deduction rules are based on the maximal intersection of two triple 
graphs, called maximal intersection object (MIO), which is defined next. 

Def. 7 (MIO) Given triple graphs TrGi and TrG2, a maximal intersection 
(MI) is given by a span of injective morphisms (TrGi <— ^ AI TrG'2), s.t. 

M ^?IA$ M' ^ M with {TrGi ^ M' ^ TrG2) and : M M' injective 
s.t. the diagram to the left of Fig. \^ commutes. Object AI is called MIO. 

MIOs are not unique, as the example to the right of Fig. [3] shows: Mi and 
AI2 are both MIOs, but not AI3 as Mi is bigger. The set of all Mis (resp. MIOs) 
of TrGi and TrGa is denoted by MI{TrGi,TrG2) (resp. Af/0(TrGi, TrGa)). 
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Fig. 3. Conditions for MIO (left). Example (right). 



Patterns in a specification may have dependencies that induce a certain or- 
der of enforcement by the operational mechanism. We make such dependencies 
explicit by annotating patterns with additional graphs, related to the positive 
graph Q. The dependency graphs are calculated by the intersection of two pat- 
terns, and can be interpreted as restrictions that must not hold when the pattern 
is operationally enforced. The notion of annotated pattern is defined next. 

Def. 8 (Annotated Pattern) An annotated pattern {P, {n^ : Q}keK) 
contains a pattern P and a set of dependencies to P's positive graph Q. 

Before presenting the deduction rules, we define an operation called pre- 
condition weakening (PW) , which tests whether the positive graph of a C-Pattern 
is included in another one, and then adds the negative pre-conditions from the 
former to the latter. 

Def. 9 (PW) Giwn Afce{i,2}[A»eP.e'= ^ P{Q'')] withQ' ^ , Pre'^ C 

Pre^ and function sub: Pre^ — > Pre^^ surjective s.t. VG,? G Pre^ , 3sub{Gf) 

Cf mjective; the PW operation results in [A^gp^^i "^{C}) P{Q^)]/\[K,(,pre^ N{Gf) 

^^ePre^-Pre^^ ^ {C} +q1 Q^) ^ P{Q^)], SCC Fig.^ 
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Fig. 4. PW: Transfer- 
ring tlie Negative Pre- 
conditions. 



Remark. The specification resulting from PW is 
not equivalent to the original one. The second pat- 
tern is added negative pre-conditions, so that it 
is satisfiable by more graphs, namely by those in 
which : C} +qi TrG (injective), as then 

is not forced to occur. However, we use this 
operation to make coherent a specification: as an 
occurrence of the second pattern implies an oc- 
currence of the first, by adding the negative pre- 
conditions we ensure that a positive satisfaction 
of the second implies a positive satisfaction of the 
first. 

Example. As S-Pattern C-T is included in A-Co, PW adds the negative restric- 
tion N (noParent) from the former to the latter. The resulting pattern is shown 
to the right of Fig. [5] (second row, to the left). 

Next, we show some deduction rules that preserve the specification semantics. 
We first present the deduction rule for two S-Patterns called S-Deduction and 
its annotation mechanism S'A(_, _). S-Deduction creates a new pattern handling 
an intersection of two S-Patterns, while the annotation mechanism adds such 
intersections dependencies to the two original patterns. Its correctness proof is 
shown in the appendix. 



Prop. 1 (S-Deduction) From Ake{i:2}iAtePre>' ^(^f ) PiQ'')], we deduce 

the new patterns /\MeMio(Q\Q--)[l\iePre^yjPTe? ^(G'i) A P(M) ^ P{Q^ +m 
Q'^)], where the C'^ are calculated as shown to the left of Fig. \^ 
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Fig. 5. Negative Pre-Conditions in S-Deduction (left). S-Annotation Example 
(right). 



Def. 10 (S- Annotation) Given two annotated S-Patterns {Pi,Di) with posi- 
tive graphsQ': SA{[Pi,Di),{P2,D2)) = {{P^, A UA/eM/o(Q\Q^){^^ ^ Q'})}^=l,2 
UMeM/o(Qi,Q2){('5'-D(Pi, P2, -A^), 0)}, with SD{Pi, P2, M) the resulting pattern 
from applying S-D eduction using M . 

Example. The right of Fig. O shows an example of S- Annotation, where the 
newly generated pattern (bottom right) considers the fact that the relation de- 
manded by pattern C-T may already exist. The procedure generates two ismor- 
phic negative pre-conditions, so that one can be eliminated. The added depen- 
dencies (Di) ensure that the first and second patterns will only be enforced by 
the operational mechanisms when no occurrence of Di is found. As we will see 
later, this makes the TGG operational rules generated for the first two patterns 
mutually exclusive with the one of the third, as well as confluent. Moreover, the 
rule for the third pattern will be able to reuse the structure created by the rule 
of the first. 

C-Deduction and its annotation mechanism CA(_, _) are generalizations of the 
S- case, with the difference that the new pattern integrates in its pre-condition 
the gluing of the original patterns pre-conditions. 

Prop. 2 (C-Deduction) From A,e{i,2} [A.eP.e'= ^(Cf) A PiC") ^ PiQ% 

we deduce the new pattern /\MeMio{Qi.Q2)lKePre^uPre^ ^ i^^D ^ PiP") =^ 
P{Q^ +M Q'^)], where the C[ are calculated as shown to the left of Fig. O and 
P'^ is calculated as shown in Fig. In this diagram, M'^ is the subgraph of M 

s.t. (Ci M""^ C2) e MI{C\C^), squares pc^ o mc^ = pm^ o {M" ^ M) 
are P. O. and morphisms pq^ : P^ — > uniquely exist due to the P. 0. universal 
property. For the same reason P'^ +m uniquely exists. 




Fig. 6. C-Deduction. 



Proof. In appendix. ■ 



The annotation procedure for C-Deduction is analogous to the one for S- 
Deduction. 

Next deduction rule is used to take into consideration the interaction of N- 
patterns, which express unconditional negative constraints, with other patterns. 

Prop. 3 (N-Deduction) [K,^p,,N{C,) P{Q) A,^p,,tN{C,)] A [N{Cn)] 

is equivalent to [A^eP^e ^(^0 ^ ^(<3) ^,ePo.t ^(^j) Ac.efls ^(^r)] with RS = 
{r" : Q Cr}crePO{Mi{Q,CN)) '^'^'^ PO{MI{Q,Cn)) is the set of pushout ob- 
jects of all spans in MI{Q, Cm)- 

Proof (Sketch). We have related Cn in all possible (maximal) ways with Q, which 
is given by the pushout of each span in MI{Q, C'n)- This is similar to the pro- 
cedure to convert a graph constraint into a post-condition [5I9| . I 
Remark. Removing N{Cn) does not yield an equivalent specification, as e.g. 
a graph with no occurrence of Q is allowed to have an occurrence of Cn- Note 
however that we will delete N-Patterns when generating the TGG operational 
rules, as these by construction cannot generate any forbidden pattern. 
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Fig. 7. N-Dcduction Example. 



Example. Fig.[7]shows how N-Pattern notDupF induces a negative constraint on 
S-Pattcrn A-Co2, resulting in the S-Pattern to its right. There are two isomorphic 
MIOs (both made of two Ts and one F) resulting in two isomorphic negative 
constraints, so that one is eliminated. 

The following deduction rule detects N-Patterns that forbid a repetition of 
structures and generates a positive pattern that reuses such structure. First, we 
define the completion of a triple graph M with respect to a graph T such that 
M ^ T. The completion adds to M\t all elements that are related to elements 
of M\s and belong to T — M, and similar for source elements. In addition, 
completion includes all unrelated elements of T. 

Def. 11 (Completion) C{M,T) ^ C iff C is the smallest graph s.t. M ^ 
G T A (Vn G VG\,,tm G VT\t - Vci^s.i. n rel m) A (Vx G VG\t,ty G Vt\^ - 



Vq^^sI. y rel x) A {$z £ {Vx\^ U Vt\^) — {Vq^^ U Vq^^) s.t. z is unrelated). G also 
contains all edges of T with source and target in nodes ofG. 
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Fig. 8. Example of Completion. 



Example. Fig. [8] shows an example of completion, where graph M is completed 
with respect to graph T, yielding graph C(M, T) . Note that M ^ C{M, T) ^ T. 

Prop. 4 (NP-Deduction) [AiePre ^(^i) ^ PiQ)]^[N (S)], with S the pushout 
of two isomorphic graphs Si = 52 and Si G MIO{Q, S), is equivalent to [AiePre 
N{a) ^ P(Q)] A [N{S)] A [A,;eP.e ^(^0 ^ P{C{Si, Q)) ^ P(g)]. 

Proof C{Si,Q) ^ Q, thus [P{C{Si,Q)) ^ P{Q)] is subsumed by P{Q). U 

The NP-Deduction rule has an associated annotation rule NP{_ ,_), which 
adds a dependency to the S-Pattern equal to the positive pre-condition of the 
newly generated pattern. 

Def. 12 (NP-Annotation) NP{{/\^^p^^N {d) ^ P{Q), D), {N (S), D' j) = 

HK^Pre Nia) ^ P{Q), Dyj{C{Si,Q)]), (N{S), D'), (A.^P^e N{a)APiCiSi, Q)) ^ 
P{Q), 0)}, with S the P. 0. of two isomorphic graphs Si ^ S2 and Si G MIO{S, Q). 

Example. Fig.[n]shows the derivation of C-Pattern A-Co2 . notDupF from A-Co2 
and notDupF. The latter is made of the pushout of two isomorphic graphs made 
of two Ts and one F. which belongs to MI0(A-Co2, NotDupF). The completion 
of one of the isomorphic graphs with respect to A-Co2 is the pre-condition graph 
P() of A-Co2 . notDupF. The newly generated pattern reuses two Ts and one F 
so that the rule to be generated from it will not produce the situation forbidden 
by notDupF. The annotation procedure adds a dependency to A-Co2 so that the 
generated rule will be mutually exclusive with the one for the deduced pattern. 

NP-Deduction has a generalization, called CNP-Deduction which handles the 
case of a C-Pattern and an N-Pattern. The main difference with NP-Deduction 
is that the pre-condition of the generated pattern has to glue the positive pre- 
condition of the C-Pattern through the MIO (as in C-Dcduction). 



P(A-Co2) 



P(A-Co2) 



Dl 



N(notDupF) 



|cjuC^ -«->|tijJ| 
|c2:C|<-»->|t2:T| 



P (A-Co2 . notPupF ) 



P() 



N (notPupF) 











|cjUC^ T»r>|tlJ 

$ : : 5 

c2:C|<-»'>|t2:T 



|ci^^-«->|tlJ^n 
|c^| <-<-> [t^ 

'2]<-«->[^ 

:Co 



Fig. 9. NP-Dcduction and Annotation Example. 



Prop. 5 (CNP-Deduction) [^^^p^^N{Ci)^P{C) ^ P{Q)]^[N{S)], with S 
the pushout of two isomorphic graphs Si = S2 and Si 6 MIO{Q, S) is equivalent 

to IK^Pre A P (C) ^ PiQ)] A [N{S)] A [A.^p,, iV(Q) A P (P.) PiQ)], 

where Pg is calculated as shown in Fig. \10l with cp o c = sp oh a P.O. square. 

Proof. In appendix. ■ 




c(Si,o)C 




C{Si,Q)^b- 



Fig. 10. CNP-Deduction. 



4 Generating the Operational Rules 

This section details the generation of operational TGG rules from a M2M spec- 
ification. Note that compilation into other formalisms is possible, e.g. to a con- 
straint satisfaction problem in the style of [TT] . We first introduce the structure 
of a non-deleting TGG rule. 

Def. 13 (Non-Deleting Oper. TGG Rule) A TGG ruler ^ [L R,pre = 
{ni : L —>■ N\^i^i,post — {uj : R Np}j^j) is made of an infective morphism 
I of triple graphs, and sets pre and post of negative pre- and post-conditions. 



Although negative post-conditions can be translated into negative pre-conditions 
using the procedure in |5I9| , we use a set for them for simplicity of presentation. 

Next we show how to generate a TGG rule given an annotated C-Pattern. 
The main idea is to use Pg = C +c\s Q\s = {Q\s, C\c, C\t) as the LHS (for the 
forward rule) and Q as the RHS. The negative pre- and post-conditions of the 
C-Pattern are used as negative pre- and post-conditions of the rule. Note the 
similarities with the satisfiability of patterns (Dcf. [5]and Fig.[2|). The rule's RHS 
is used as a negative pre-condition so that satisfiability is enforced only once. 
Finally, dependencies are converted into negative pre-conditions. 



Def. 14 (Derived TGG Rule) Given annotated pattern T ^ (AiePre ^(^0^ 
P(C) => P{Q)A^^p^^^N{C,),D = {n^: Dk ^ Q}keK), the following TGG op- 
erational rules are derived: 

- Forward. ^ : (L = (g|„ C|t) '^"^^^''^ R ^ Q^pre = {n: L ^ 
R}U{af: L ^ Ni\L ^ A^/}.eP,e U {s^': L ^ S''}keK,post = {n, : R ^ 
^j}jePost)- 



Backwards, 

R}U{al: L ^ Nl\L ^ ND^^Pre U {s'= : L 

Cj]]£Post). 



Q,pre 



-- {n: L 
{nj : R 



where Nf = Ci\x +c|x ^ ' ^'^'^ ■ ~* uniquely determined (see Fig. [ 

where Px = L). S'' is the left- extension of Dk, see left of Fig. [771 where oh^ 
r o l'^ and d^ oh'' ^ s^ o l^ are pullback and pushout squares respectively. 
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Fig. 11. Left Extension of Dk Q (left). Generated Forward Rule A-Co (right). 



Example. The right of Fig. [TT] shows the generated forward rule from the an- 
notated pattern A-Co shown in Fig. [5] Note how the NAG forbids applying 
the rule if the node C has an associated T. In this case, the rule generated from 
the derived pattern C-T.A-Co in Fig. [5] would be applicable (see rule C-T.A-Co 
in Fig. [El). 

Before generating the rules we use the deduction and annotation mechanisms 
on the initial M2M pattern specification in order to transform N-patterns into 
negative post-conditions of the other patterns, generate patterns that take into 
consideration the satisfaction of other patterns, and identify dependencies be- 
tween patterns. As stated before, we assume that the initial specification does 



not include patterns with both a positive graph and a negative post-condition 
(as the latter can be expressed with N-Patterns). 

Def. 15 (Generation of Operational TGG Rules) Given specification S: 

1. Use PW (Def.\^ on all possible patterns. 

2. Use C- or S- Annotation (Def. I for each pair of C- or S-Patterns. Do not 
derive a pattern if it already exists. 

3. Use NP- Annotation (Def. WBjl on all possible patterns (initial and derived). 
4- Use N-Deduction (Prop.\B^ on all possible patterns and eliminate N-Patterns. 

5. Take each derived pattern, and add to it all dependencies of the patterns it 
was derived from. Do not add such dependencies if they are included in the 
positive pre-condition of the derived pattern, as the pattern would become 
useless. 

6. Generate an operational TGG rule for each causal pattern (Def. f75|). 
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Fig. 12. Some of the Generated Forward Operational Rules. 



Example. Fig. [T^ shows some of the generated forward rules. Rule C-T is gen- 
erated from pattern C-T. NACl results from a pre-condition, while NAC2 is 
equal to the RHS. Rule A-Co results from pattern A-Co. NAC3 comes from the 
PW operation with pattern C-T, NAC2 is equal to RHS, and NACl is derived 
from a dependency when making S-Deduction with C-T. Rule C-T . A-Co is gen- 
erated from a pattern derived from C-T and A-Co through S-Deduction. Its first 
NAC comes from a dependency induced by their source patterns. Finally, rule 
A-Co.notDupF results from NP-Deduction (see Fig.O, where NACl and NAC2 
come from pre-conditions of the patterns from which it is derived, and NAC3 
comes from a dependency. These two last rules have some additional NACs (not 



shown), stemming from N-Deduction with pattern notDupF. The procedure gen- 
erates a total of 10 rules, shown in Figs. [T51 [HI and [T51 



A-C02 1 




Fig. 13. Some of the Generated Forward Operational Rules. 
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Fig. 14. Some of the Generated Forward Operational Rules. 
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Fig. 15. Some of the Generated Forward Operational Rules. 



4.1 Correctness of the Operational Mechanisms 

Now we show the correctness of the generated rules, focussing on forward rules 
as a similar reasoning holds for the backwards case. The generated rules: (i) 
must produce models satisfying the specification, (ii) must be confluent, (iii) 
must terminate, and (iv) must transform each source model for which there is a 
correct target model. 

(i) follows from the construction of the TGG rules. Their LHS is {Q\s, C\c, C\t) = 
C' +c|s Q\s = Ps, which is the base graph from which forward satisfaction is 
checked (see Fig. [2]). As i? = Q, morphism m: Q ^ TrG exists after the ap- 
plication of the rule. The rule negative pre- and post-conditions are derived 
from the negative pre- and post-conditions of the pattern. Thus, the rule can 
be applied iff the base morphism m'^ exists and the negative pre- and post- 
conditions of the pattern are satisfied. The additional NAG = R makes the 
rule enforce the pattern once. As initially all forbidden graphs are expressed 
as N-Patterns, and we have performed N-Deduction, no rule can produce 
a forbidden result. Since we start with an empty target graph, backwards 
satisfaction is also obtained. Finally, the rule has additional NACs derived 
from dependencies, however these just allow the execution of exactly one of 
the rules enforcing a given pattern so that they are confluent (see (ii)). 

(ii) follows because S- and C-annotation add dependencies (which are trans- 
formed into NAGs) to the initial patterns, and these are appropriately prop- 
agated to their derived patterns in step 5 of the rule generation process. 
Fig. [16] shows that a rule Li Ri and a derived one through S-Deduction 
L3 i?3 are mutually exclusive. Si is the resulting NAG generated from the 



dependency of the first rule. In a situation where Li and L3 are apphcable, 
by the pushout universal property, there is a match of the NAC 5*1. Thus, 
the first rule is not applicable. 



Fig. 16. Mutual Exclusion of Li Ri and L3 R3 (left). Applying first and 
third rule (right). 



Note however that initially we may have patterns included in others: [P{Qi)]A 
[P{Q2)] with Qi ^ Q2- In this case, S-Deduction generates [P{Qi)] A 
[PiQ2)] A [P{Qi) =^ P{Qi +Qi Q2)] (assuming just one MIO), from which 
we generate three rules. There is a conflict between the first two rules (i.e. 
a critical pair). However in a situation where both the first and the second 
are apphcable (e.g. if we have Q2\s TrG), applying the first and the third 
is equivalent to applying the second. The right of Fig. [12] shows that the 
existence of i?i — > TrG and R3 TrG implies the existence of R2 — *■ TrG. 
Besides, we cannot apply the first and the second, because of the generated 
NACs: the second rule is added i?i as NAC (as Qi = Ri ^ Q2 ~ ^2)- 
Example. Consider the rules for the patterns C-T and A-Co and their derived 
pattern (C-T . A-Co see Fig. fT^ . Assume a situation where both C-T and A-Co 
are applicable. If C-T is applied first, then A-Co is disabled, but C-T. A-Co 
can be applied. If A-Co is applied first, then no other rule is applicable. 
However, in both cases we reach the same result. 

(iii) follows from the fact that (a) each rule has its RHS as a NAC, therefore it 
can only be applied once for each initial match in the source model; and (b) 
a forward rule only changes the target model. 

(iv) cannot be achieved for arbitrary M2M specifications. We restrict to what we 
call Injective Positive Specifications, which contain enough positive patterns 
to produce the operational TGG rules. Next definition introduces the forward 
case (FIP), the backwards one is similar. 



Def. 16 (FIP Spec.) Specification S = A,=i „ is FIP, iff MM, e L{MMs) 
s.t. 3TrG = {M„X) ^ S,3k, e N, 3P] ^ ^ with = C" +0-1, 
Q™U u = {l..h}, V = {!..%} and S^i ^ PI if i = j, s.t. G is the colimit of 
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Fig. 17. Condition for FIP (left). Non-FIP Specification (center). Invalid Graph 
(right). 



Remark. The definition considers ki occurrences of each pattern T^. Two occur- 
rences of patterns Ti and Tj can overlap, and this is modelled by 5'^{,. We forbid 
P* be the overlap of two occurrences of the same pattern Q', as the operational 
mechanism minimally enforces each pattern (i.e. rules have a NAC equal to the 
RHS). We have made a simplification in the diagram, but each occurrence of Ti 
should satisfy its negative pre- and post-conditions. 
Example. Consider the specification in the cen- 
ter of Fig. 1171 and assume we do not perform any 
deduction. There is a valid triple graph TrG with 
two As in its source, but the rules generated with- 
out deduction cannot create such graph, as they 
would produce two Bs. 

The NP-Deduction rule can turn some non- 
FIP specifications into FIP. This is because it cre- 
ates a new pattern that reuses an already cre- 
ated structure (in the target graph). The right of 
Fig. [T71 shows that if NP-Deduction is not applied, 

we cannot handle a graph with two As. Fig. [18] Fig. 18. FIP Specification, 
shows that after applying NP-Deduction, the re- 
sulting pattern can handle such graph as it reuses 

a B and is applied twice. It is up to future work to determine further deduction 
rules to cover additional non FlP-specifications. 



5 Analysis of the Transformation Specification 

This section gives an overview of some of the properties that can be analysed 
from a pattern-based specification 5*. We distinguish three levels: pattern, spec- 
ifications and operational mechanisms. 

Pattern Analysis. We can analyse single patterns or pairs, for example: 

— Pattern Conflict (PC). Two patterns are in conflict if they express con- 
tradictory constraints. This is for example the case of specification [P{Qp)\ A 



[N{Qn)] with Q]y > Qp. In this case the generated TGG operational rule 
can never be applied. Thus, an initial graph of the form TrG = Qp\s does 

not have a valid target model, and cannot be transformed according to S . 

— Tautology (T). A pattern is a tautology if it is always satisfiable. This 
is the case of patterns with the forms: (i) [N{Q) P{Q)], as it is always 
either vacuously or negatively satisfied, and (ii) [P{Q) ^ PiQ)] as it is 
always cither vacuously or positively satisfied. 

— Contradictory (C). A pattern is contradictory if it can never be positively 

satisfied. This is the case of a pattern with the form [P{Q) A N{Q)], which 
can only be vacuously satisfied. 

Specification Analysis. These define properties of the specification as a whole: 

— Language Covering (LC). A pattern specification is source covering iff 
Wp6S+ tyP^{P\src) is surjective, where is the set of positive patterns of 5. 
This means, that we have patterns that handle each construct of the source 
language. A similar notion can be defined for the target language. 

Full Forward, Backwards or Relating (FF, FB, FR). A specification S 

is FF (resp. FB) iff \DomCs)\ = \L{MA'Q\ (resp. \DomCs)\ = \L{MMt)\). 
A specification is FR iff it is FF and FB. If a specification is not FF, it means 
that is not defined for all valid models of the source language. Obviously, if 
a specification is not source LC it is neither FF nor FR (the converse in not 
necessarily true). Similarly a specification that is not target LC is not FB 
nor FR. A pattern conflict makes the specification not to be FF or FB. 

— Contradiction(C). A specification 5' is a contradiction if the empty graph 
is the only graph able to satisfy it (i.e. no graph positively satisfies S). This is 
the case of a specification which is source LC with all patterns contradictory. 
Forward, Backwards or Relating Univalued (FU, BU, RU). S is FU 

iff VA/s e Dom(S), \{MT\{Ms,Mt) h S}\ = 1. Note that aU specifications 
with our technique arc FU, BU and RU. 

Operational Mechanisms. It is also possible to study properties of the gen- 
erated TGG rules, for example: 

— Hippocratic Transformation (HP), (taken from [TUj) IfVA/^ £ L(Af A/^), 

Mt e LiMMt) s.t. {M,,Mt) ^ S =^[S{{Ms,Mt))\t^MtAS{{M,,Mt))\s = 
Ms]. This property states that if a triple graph satisfies a specification, the 
application of S' or 5' will not modify the triple graph. The transformations 
we generate are HP, as our rules minimally enforce each pattern (they have 
NACs equal to RHS). A formal proof is left for future work. 

6 Related Work 

Some declarative approaches to M2M transformation use a textual syntax, e.g. 
PMT [12] or Tefkat [13]. These two particular notations are uni-directional, 
whereas we generate forward and backward transformations. 



Among the visual declarative approaches, a prominent example is the stan- 
dard language QVT-relational [2] , which also has a textual syntax. The relations 
may include when and where clauses that identify pre- and post-conditions and 
can refer to other relations. From this specification, executable QVT-core is gen- 
erated that performs forward/backward transformations given a source/target 
model. This approach is similar to ours, but we compile our patterns to TGG 
rules, allowing the analysis of the generated transformation [S]. Besides, we can 
make analysis at a higher-level as our patterns have a formal foundation. More- 
over, we automatically detect pattern dependencies and perform pattern infer- 
ence. In the QVT-relations language, dependencies must be made explicit in 
the when and where clauses, and there is no equivalent to our N-Patterns. An 
attempt to formalize QVT-core is found in [T^ . 

In [15j . transformations are expressed through declarative relations made 
of positive patterns, heavily relying on OCL constraints, but no operational 
mechanism is given to enforce such relations. In BOTL |16| . the mapping rules 
use a UML-based notation that allows reasoning about applicability or meta- 
model conformance. We can reason both at the specification and operational 
levels. 

TGGs [4] formalize the synchronized evolution of two graphs through declar- 
ative rules. From this specification, low-level operational TGG rules are derived 
to perform forward and backwards transformations, as well as to relate two exist- 
ing graphs. We also generate these operational rules from our patterns. However, 
whereas in declarative TGG rules dependencies must be made explicit (i.e. we 
must say which elements should exist and which ones are created), in our pat- 
terns this information is derived. For instance, in TGGs, a rule like pattern 
C-T.A-Co has to be specified, it is not enough to give C-T and A-Co. 

Although inspired by TGGs, our patterns are a different approach to M2M 
transformation: patterns specify relations, not rules. Similar to graph constraints |9I17| . 
a M2M specification by patterns describes a language of valid triple graphs. 
Moreover, TGGs have some limitations. First, they do not allow specifying 
negative information, nor deriving positive information from negative one (like 
NP-Deduction). In [6], the lack of negation is alleviated by assigning execution 
priorities to rules. However, this is insufficient to simulate general application 
conditions, it has an operational nature, and implies knowing the rule genera- 
tion mechanism and execution engine. Second, a control mechanism is needed to 
guide the execution of the operational rules, such as priorities [6] or their cou- 
pling to editing rules [3j. One can see TGGs as a subset of our approach, where 
a TGG rule is a pattern of the form P{L) P{R) without negative conditions 
or deduction techniques. 

In [18], an algorithm is given for the derivation of declarative TGGs from 
example pairs of models. Interestingly, the user does not have to specify the 
correspondence nodes in these pairs. The employed techniques resemble our 
use of MIOs, however, our patterns are richer, as we allow negative pre- and 
post-conditions, and we have developed a theoretical framework which includes 
further derivation techniques (e.g. NP-Deduction). 



With respect to graphical patterns, in the recent work in [T7], a logic of 
constraints and some deduction techniques were proposed. However, their ba- 
sic constraints are existentially satisfied, while ours are universal. Moreover, we 
provide deduction techniques specially tailored for M2M specifications and triple 
patterns. In |19| we presented a simpler notion of pattern and used it to extend 
normal rules to synchronous TGGs. We applied it to the synchronization of the 
concrete and abstract syntax of visual models. The patterns were restricted to 
work with positive information, and the execution of the derived rules was asso- 
ciated to editing rules (like traditional TGGs). Here we present a new concept of 
pattern, which allows expressing negative conditions, introduce deduction rules 
and present a new algorithm for TGG rule derivation that is suitable for M2M 
transformation and does not need a normal rule to start with. 



7 Conclusions and Future Work 

In this paper we have presented a new formal approach to declarative M2M 
transformation. Relations between source and target models are expressed as 
different kinds of patterns, from which operational TGG rules are derived im- 
plementing forward/backwards transformations and taking into account pattern 
interactions. This is done by deduction mechanisms that detect interdependen- 
cics and produce new patterns that reuse structures created by other patterns. 
This is one of the strengths of the present work: pattern dependencies are au- 
tomatically calculated and not explicitly given by the designer such as with 
QVT and TGGs. We have identified analysis properties, both at the specification 
(e.g. language covering, pattern conflicts) and operational levels (e.g. hippocratic 
transformations [l0|). 

Although we generate operational TGG rules from a pattern specification, 
other target formalisms could be used as well (e.g. OCL, Alloy). In fact, one of 
our next goals is expressing a specification in terms of a constraint satisfaction 
problem, in the lines of . This would eliminate some problems of the compi- 
lation into rules, such as the restriction to handle FIP specifications only. Note 
that with the theory presented so far we can handle attributes, but not attribute 
conditions or computations. Our aim is to use OCL and the analysis techniques 
we proposed in [llj . 

We are also investigating additional analysis properties at the specification 
and operational levels. It would be interesting to extend the set of derived op- 
erational rules to handle incremental synchronization and change propagation, 
using the techniques in |20| . More complex patterns able to deal with recursion 
or have parameters are also under consideration. Finally, we aim to formalize a 
part of QVT using this technique. 
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Appendix: Proof of Some Results 



Proof of Prop. [TJ We show the equivalence of forward satisfiability, as a similar 
reasoning holds for the backwards one. We have to show that TrG \=f Ti = 



TrG h=F T2, obviously TrG Ti. Lets then assume that TrG Ti and 
check all possible cases: 

(a) Both P(Q') are positively satisfied and there is one occurrence of both: 
Bmf ■.Q'\s-^ TrG, m,: Q' ^ TrG with mf = m, o g| (see left of Fig. [TO)) . 
There are two possibilities: either 3Mj G MIO{Q^ ,Q^) = mi{Q^) XxrG 
m2{Q^) or not. In the first case, = [P{Mj) ^ P{Q^ +m, Q^)] is pos- 
itively satisfied and the other [P{Mk) => P{Q^ Q^)] are vacuously 
satisfied. This is so as we first build the P.O. Q^, and then mor- 

phism m| : +Mj TrG exists due to the P.O. universal property (see 

left of Fig.Iini). Moreover, ruj : = Mj +m,\, {Q^ +m, Q'^)\s TrG exists 
for the same reason (see right of Fig. [T9|) . In the second case, all patterns 
[P(Mfe) ^ P{Q^ +Mk Q^)] are vacuously satisfied. 




Fig. 19. Positive Satisfaction of P{Q^ Q^) given positive satisfaction of 

(b) P{Q^) is positively satisfied and P{Q^) vacuously satisfied. In this case 

Q2\s ^ TrG, and therefore : Mfc +m,u +m, Q^)\s) ^ TrG 
(because Q^\s ^ +Mk\, {{Q^ +J\fk Q'^)\s)) and therefore each P{Mk) => 
P{Q^ +Affc Q^) is vacuously satisfied. 

(c) If both P{Q^) are vacuously satisfied by the same reasoning each P{Mk) =J> 
P{Q^ +Mk Q^) is vacuously satisfied. 

(d) li P{Q^) is positively satisfied and P{Q^) is negatively satisfied (assume just 
one instance of each), then Bmf : Q^\s — > TrG, m| : Q^l^ ^ TrG, mi : 

TrG, {Gf\s = Nf") TrG (see Fig. ^. There are two possibilities: either 
3Mj e MIO{Q^,Q^) s.t. Mj\, ^ mf(Qi|^) XTrG ^^(Q^W or not. In the 

second case, all P{Mk) are vacuously satisfied. 
In the first case we have that: 
• 3ej : Q^\s +Mj\, Q'^ls = {Q^ +m, Q^)\s TrG due to the P.O. universal 
property. See the right of Fig. [2Q1 
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Fig. 20. Positive Satisfaction of P{Mj) given positive satisfaction of P{Q^) and 
negative satisfaction of P{Q^). 

• 3mJ: M| = AIj +Mj\^, +m Q^\s ^ TrG due to the P.O. universal 
property, thus the base morphism of Mj exists. See the left of Fig. 

In this diagram, square Mj\s ^ Mj ^ Qi ^ M'f = Mj\s {Q^ +Mj 
Q'^)\s M'f is a P.O. Then, m'^ = m]' o mf. 

• Morphism : C^'j^ — > TrG (where Cl\s is the source component of the 
pre-condition of Mj derived from Cf) exists due to the universal P.O. 
property, see the right of Fig. [2T] Therefore Mj is negatively satisfied. 
The other P{Mk) are vacuously satisfied. 




TrG 

Fig. 21. Positive Satisfaction of P{Mj) given positive satisfaction of P{Q^) and 
negative satisfaction of P{Q^). 

(e) A similar reasoning follows if both P{Q'^) are negatively satisfied. 

(f) If P{Q^) is negatively satisfied (with just one instance) and P{Q^) is vacu- 
ously satisfied, then all P{Mj) are vacuously satisfied. 

If there is more than one occurrence of a pattern either positively or nega- 
tively satisfied, we do all combinations but they reduce to the previous cases. Now 



let's assume that some Ti is not satisfied. If TrG i^F Ti, obviously TrG 72. 
Let's assume that TrGi^p ^2. We check all the cases: 

(a) liTrO^F P{Q'), then TrO^Ti. 

(b) If TrG "PiMj) =^ P{Q^ +M, Q^), this means that 3my. Mj +m,u 
((0^ +M, Q')|.) TrG, : +m, ^ TrG and $n'^ : N^^ TrG 
(where are the derived negative pre-conditions). As exists, both 
mf : Q'ls ^ TrG exist because Q'U ^ +a/,U ((Q^ +m, As no < 
exists, the negative pre-conditions of are satisfied. As rrij does not exist, 
some rrii : TrG must not exist because Q* ^ -|-m <5^- Thus, either 
TrGi^F P{Q^) or TrG^p P{Q^), therefore TrGt^p Ti. 

m 

Proof of Prop. [2l The proof is similar to the one for S-Deduction. We show 
the equivalence of forward satisfiability, as a similar reasoning holds for the 
backwards one. We have to show that TrG \=f Ti = Afce{i 2}[AiePre'= ^i'^i) ^ 
PiG") ^ P(Q'=)] iff TrG T2 = {^ue{la^^^ePre^N{G'^)^P{G'^) 

Q^K.ePre-^Pre- ^ [G'^) A P(P^) ^ P{Q^ +M Q^)] (see 

Fig.©. If TrG [=^fT2, obviously TrG ^pTi. Lets then assume that TrG ^pTi 
and check all possible cases: 

(a) Both P{Q^) are positively satisfied and there is one occurrence of both: 
3mf : PI TrG, rrii: ^ TrG with mf = rrii o qf. There are two possi- 
bilities: either 3Afj e ]\IIO{Q^,Q^) = mi{Q^) XttG ™2(Q^) or not. In the 
second case, all S'^ = [P{Pk) ^ P{Q^ +Mk Q^)] are vacuously satisfied. In 
the first case, ~ [P{Pj) P{Q^ +Mj <3^)] is positively satisfied and 

the other [P{Pl:) P{Q^ +Mk Q^)] a-rc vacuously satisfied. This is so as 
(i) +Mj due to the P.O. universal property, (u) 3_P^ TrG for the 
same reason and (iii) 3Afj' — > TrG. 

(b) P{Q^) is positively satisfied and P{Q^) vacuously satisfied. In this case 
Jto|: P2 ^ and therefore ^m/^: P<r +po|^ ((Q^ +m, Q'^)\s) -> TrG 

(because Q\ --^ P/ +p^\^ {{Q^ +m, Q^)\s)) and therefore each P{P^) ^ 
P{Q^ +A/fc Q^) is vacuously satisfied. 

(c) If both P{Q^) arc vacuously satisfied by the same reasoning each P{P^) ^ 
P{Q^ +Mk Q^) is vacuously satisfied. 

(d) If P{Q^) is positively satisfied and P{Q^) is negatively satisfied (assume just 
one instance of each), then either all P{P^) are vacuously satisfied, or one 
P{Pj) is negatively satisfied. 

(e) A similar reasoning follows if both P{Q^) are negatively satisfied. 

(f) If P{Q^) is negatively satisfied (with just one instance) and P{Q^) is vacu- 
ously satisfied, then all P{Pj) are vacuously satisfied. 

If there is more than one occurrence of a pattern either positively or nega- 
tively satisfied, we do all combinations but they reduce to the previous cases. 
If some Ti is not satisfied the proof is analogous to the one for S-Deduction. 



Proof of Prop. [5j We have to proof that if Ti = P (C) => P{Q) is satis- 
fied, so is T2 = P{Ts) =^ P{Q) with C ^ Ts ^ Q. Again, we show forward 
satisfaction, as a similar reasoning holds for the backwards one. 

If TrG \=fT2, then TrG Ti. Let's assume that TrG is satisfied 

and check all the cases: 

(a) If Ti is positively satisfied, then so is T2, as Fig. [22] shows. The left diagram 
shows that 3Ts — > TrG due to the P.O. universal property. The right diagram 
shows that 3P^ = Ts +t,\s Q\s ^ TrG for the same reason. 



Fig. 22. Positive satisfaction of T2 given positive satisfaction of Ti. 

(b) Lets assume that Ti is negatively satisfied. Then 3Ci\s — > A'i — > TrG. There 
are two options, either 3Q — > TrG or not. In the first case, by item (a), we 
have that 3Ts TrG. But then, by the P.O. universal property 3iV'* 
TrG, and hence T2 is negatively satisfied. If $Q — » TrG, then either 3Ps — » 
TrG or not. In the first case 3T, TrG and therefore 3N" TrG and T2 
is negatively satisfied. In the second case T2 is vacuously satisfied. See the 
left of Fig. El 
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Fig. 23. Satisfaction of T2 given negative satisfaction of Ti (left). 



(c) Lets assume that Ti is vacuously satisfied. Then (i) $Ts — > TrG, because, as 
3C Ts if it would exist then we would have C TrG; (ii) -> TrG, 
as $Ts — > TrG and Tg Pg. Hence, T2 is vacuously satisfied. 



